Juniper ScreenOS DHCP Relay: “Use Interface as Source IP for VPN”

I had strange looking DHCP packets in my network as I tested around with DHCP relays on the Juniper SSG firewall. Some packets were blocked and I didn’t know why. After some troubleshooting it was clear that the checkmark “Use xy Zone Interface as Source IP for VPN” has a big impact in all environments even without the usage of a VPN!

I thought that a DHCP relay sends all its packets from its own IP address. Well, this was not true on the SSG firewall: By default the Juniper sends its DHCP relay agent packets with a source IP address from the interface that “looks” (routes) to the DHCP server and NOT from the real DHCP relay interface. Hmpf! Since I have another firewall between the Juniper and the DHCP server in place, I needed two unidirectional rules on that firewall. Not good.

After playing around with the “Use xy Zone Interface as Source IP for VPN” option inside the DHCP relay agent configuration on the GUI, I got the right configuration: This checkmark configures that the DHCP relay messages are sent from this interface IP address and not from any other address. This is how I thought it would be the default.

Lesson learned: Always check this option when configuring DHCP relays on the SSG!

Correct Configuration

(Note: Do not forget the “permit” security policy from the whole DHCP-enabled network zone to the DHCP server with service “DHCP-Relay”.)

Inside the GUI (Use xy Zone Interface as Source IP for VPN):

DHCP Relay Juniper SSG checkmark Source IP

Through the CLI (note the second command):

And centralized through NSM. Here it is called “Enable VPN Encryption“. (Oh oh, what an unclear description!):

DHCP Relay Juniper SSG checkmark Source IP NSM

Screenshots without the correct Checkmark Setting

This is how the DHCP request packet looks like when it is sent from the interface that points to the DHCP server. It has an DHCP value “Relay agent ip address” with its real DHCP relay interface IP address:

DHCP Relay Juniper SSG without Source IP for VPN Wireshark

That is: The intermediate firewall needed two security rules since the answer packet was sent in a new session from the DHCP server to the real DHCP relay interface IP address.

This is the DHCP server log (isc-dhcp-server) which reveals that the Relay agent was the real DHCP relay interface (first line “via 192.168.110.1”) though the packet arrived from a different layer 3 IP address:

 

Leave a Reply

Your email address will not be published. Required fields are marked *